
So, in requests, in case of SSL verification, we pass `verify=True` or `verify='/path/to/cert'`. According to the documentation, passing `verify=True` means that requests checks the SSL certificate on the host. But, in case of passing a path to the cert file in `verify`, requests considers the specific cert file for authenticating the request.

Then what is the advantage of passing `verify=True` in the first place? Since, even if I pass `verify=False`, it works correctly. Earlier, I thought it was generating a self-signed certificate, but I was incorrect. Any help will be appreciated.

phoenix97

1 Answer

Before coming to the different values for `verify`, one needs to understand first what this `verify` is about in the first place. It is about validating that the server certificate matches the expected one, which means that there is a direct end-to-end protected connection to the server and there is not some man in the middle who can read and modify the traffic. The server validation is (among other things) based on locally trusted root certificates which represent trusted certificate authorities (CA): if no chain from the server-provided leaf certificate to any of the local trust anchors can be constructed, then the certificate is not trusted. For more on this see SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate?.

`verify=True` then means that the server validation is done using the default trust anchors, which are commonly the same public root certificates as used in the browser. `verify=file.pem` means to not use the default trust anchors but instead only the ones given in the specific file. This can be a single CA certificate, can be multiple CA certificates, but can also be self-signed certificates expected for a specific server. Both of these options are usually sufficiently secure. But explicitly specifying which CA or certificate is trusted with `verify=file.pem` is more restrictive and thus more secure.

`verify=False` instead means that no certificate validation is done at all. This means a man in the middle will not be detected and thus anybody in the middle could sniff and fiddle with the traffic. This is totally unsafe and should never be used for critical data. Critical data are obviously things like passwords or access tokens, but even exposing the exact URL visited can be considered critical in many cases.

Steffen Ullrich
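The three `verify` settings described in the answer map onto a standard-library `ssl.SSLContext` trust policy; the following is an added example (not code from the question, the answer, or the requests project) that builds the equivalent context for each value and reports what it actually enforces. The function names `context_for_verify`, `describe` and `describe_empty_capath` are this example's own.

```python
import os
import ssl
import tempfile


def context_for_verify(verify):
    """Return an SSLContext with the trust policy requests applies for `verify`."""
    if verify is False:
        # verify=False: no chain validation and no hostname check at all
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False        # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if verify is True:
        # verify=True: system default trust anchors, chain and hostname verified
        return ssl.create_default_context()
    # verify='/path': only the given CA file (or hashed CA directory) is trusted;
    # create_default_context() does NOT load the system store when cafile/capath is set
    if os.path.isdir(verify):
        return ssl.create_default_context(capath=verify)
    return ssl.create_default_context(cafile=verify)


def describe(verify):
    """Summarise the policy as plain values: mode, hostname check, CAs loaded."""
    ctx = context_for_verify(verify)
    mode = {ssl.CERT_NONE: "NONE", ssl.CERT_OPTIONAL: "OPTIONAL",
            ssl.CERT_REQUIRED: "REQUIRED"}[ctx.verify_mode]
    return {
        "verify_mode": mode,
        "check_hostname": ctx.check_hostname,
        # CA certificates eagerly loaded into the store (a capath loads lazily, so 0)
        "loaded_cas": ctx.cert_store_stats()["x509_ca"],
    }


def describe_empty_capath():
    """verify=<directory> with nothing inside (constructed temp dir): validation is
    still required, but the trust store is empty, so every server would be rejected."""
    with tempfile.TemporaryDirectory() as d:
        return describe(d)


if __name__ == "__main__":
    for value in (True, False):
        print("verify =", value, "->", describe(value))
    print("verify = <empty dir> ->", describe_empty_capath())
```

Note that `verify=True` only shows a non-zero `loaded_cas` when the system trust store is present; with no CA bundle installed the context is still CERT_REQUIRED and will reject every server rather than silently accept it.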